summaryrefslogtreecommitdiff
path: root/Utility/WebApp.hs
diff options
context:
space:
mode:
authorGravatar Joey Hess <joeyh@joeyh.name>2016-11-10 13:48:54 -0400
committerGravatar Joey Hess <joeyh@joeyh.name>2016-11-10 13:48:54 -0400
commitfa5da899d5f5637a821cf8e996f7d4571464b489 (patch)
tree4144189c8ac152b1ce0af466e34aeed5310dea54 /Utility/WebApp.hs
parent0628a6a986449204cb6d847c1a6a76e5f0222984 (diff)
webapp: Explicitly avoid checking for auth in static subsite requests.
Yesod didn't used to do auth checks for that, but this may have changed. I don't have a way to reproduce the reported problem yet, but this change certianly won't hurt anything. This commit was sponsored by Thom May on Patreon.
Diffstat (limited to 'Utility/WebApp.hs')
-rw-r--r--Utility/WebApp.hs21
1 files changed, 13 insertions, 8 deletions
diff --git a/Utility/WebApp.hs b/Utility/WebApp.hs
index cff5b268e..63ca33520 100644
--- a/Utility/WebApp.hs
+++ b/Utility/WebApp.hs
@@ -182,15 +182,20 @@ genAuthToken = do
-
- Note that the usual Yesod error page is bypassed on error, to avoid
- possibly leaking the auth token in urls on that page!
+ -
+ - If the predicate does not match the route, the auth parameter is not
+ - needed.
-}
-checkAuthToken :: Yesod.MonadHandler m => (Yesod.HandlerSite m -> AuthToken) -> m Yesod.AuthResult
-checkAuthToken extractAuthToken = do
- webapp <- Yesod.getYesod
- req <- Yesod.getRequest
- let params = Yesod.reqGetParams req
- if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
- then return Yesod.Authorized
- else Yesod.sendResponseStatus unauthorized401 ()
+checkAuthToken :: Yesod.MonadHandler m => Yesod.RenderRoute site => (Yesod.HandlerSite m -> AuthToken) -> Yesod.Route site -> ([T.Text] -> Bool) -> m Yesod.AuthResult
+checkAuthToken extractAuthToken r predicate
+ | not (predicate (fst (Yesod.renderRoute r))) = return Yesod.Authorized
+ | otherwise = do
+ webapp <- Yesod.getYesod
+ req <- Yesod.getRequest
+ let params = Yesod.reqGetParams req
+ if (toAuthToken <$> lookup "auth" params) == Just (extractAuthToken webapp)
+ then return Yesod.Authorized
+ else Yesod.sendResponseStatus unauthorized401 ()
{- A Yesod joinPath method, which adds an auth cgi parameter to every
- url matching a predicate, containing a token extracted from the